Schwab Admits Security Hole

SAN FRANCISCO – Charles Schwab Corp. confirmed last week that its market-leading Web brokerage was vulnerable to a common security flaw that could allow a hacker to hijack subscribers' stock trading accounts, but said the risk was small and no user accounts had been accessed.

The news, first reported by a website specializing in Internet security issues, makes Schwab the second online brokerage to admit to such a vulnerability after E-Trade Group did so last month.

"It's like having your connection hijacked," said John Vranesevich, with security consultancy AntiOnline.

The flaw, known as "cross-site scripting," means that private information such as passwords and bank account numbers that users type into the Schwab website – and are often stored in users' Web browsers in files called 'cookies' – can theoretically be rerouted to a hacker's e-mail address or website.
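As an added illustration that is not part of the article and does not describe Schwab's actual code, the following Python shows the mechanism from the defender's side: a page that reflects a user-supplied value into HTML verbatim, the escaped version that displays markup instead of running it, a session cookie carrying only an opaque token and marked HttpOnly so page scripts cannot read it, and a check that flags unescaped reflection. All names, tokens and sample input are constructed.

```python
import html
from http.cookies import SimpleCookie

# Constructed placeholder; a real session token would be random and opaque.
SESSION_TOKEN = "opaque-session-token"


def render_unsafe(search_term: str) -> str:
    """Vulnerable: the user-supplied term is interpolated into HTML unchanged,
    so any tags it contains become part of the page (cross-site scripting)."""
    return f"<p>Results for {search_term}</p>"


def render_safe(search_term: str) -> str:
    """Hardened: HTML-escape before interpolation so '<', '>', '&' and quotes
    are shown as text rather than parsed as markup."""
    return f"<p>Results for {html.escape(search_term, quote=True)}</p>"


def session_cookie_header() -> str:
    """Set-Cookie line for a session cookie that holds only an opaque token
    (no password or account number), is HttpOnly so document.cookie cannot
    read it from script, and is Secure so it travels only over TLS."""
    jar = SimpleCookie()
    jar["session"] = SESSION_TOKEN
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


def reflects_markup(rendered: str, supplied: str) -> bool:
    """Detection check: True if supplied input containing a tag appears in the
    rendered page byte-for-byte, i.e. it was not escaped."""
    return "<" in supplied and supplied in rendered


if __name__ == "__main__":
    # Constructed sample input: a harmless marker tag, not a working exploit.
    sample = "<script>alert('xss')</script>"
    print("unsafe reflects tag:", reflects_markup(render_unsafe(sample), sample))
    print("safe reflects tag:  ", reflects_markup(render_safe(sample), sample))
    print(session_cookie_header())
```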

While cross-site scripting is a well-known problem in the security community, experts emphasize that there have been no known attacks on websites yet – including Schwab's.

"We haven't seen this sort of attack out in the field yet," Vranesevich said, adding that cross-site scripting "is technically difficult. You wouldn't see some 12 year old doing it."

Schwab has implemented some temporary measures and hopes to have a permanent fix ready by year's end, according to Greg Gable, a Schwab spokesman. He said the flaw posed an "extremely, extremely small" risk.

"There would need to be a whole set of circumstances," Gable said. The hacker "would need to know your e-mail and when you're logged-on. And you would need to read and respond to an e-mail while you're logged in" to Schwab's site.

Other online brokers surveyed by Reuters said they were not similarly vulnerable.

"Our systems are configured differently," said Mike Dunn, a spokesman for New York-based Datek Online, a subsidiary of Datek Online Holdings Corp. "We've never had that problem and we never will."

Ameritrade Holding Corp. also said its online trading site has no such problems.

"Cookies are used only to manage customer Web sessions once the customer has connected to the site," an Ameritrade spokesman said. "The cookie does not contain passwords or other personal identification information that could be used by unauthorized individuals to initiate an Ameritrade online trading session."

Hackers who actually gained access to a Schwab account would be able to perform most functions available to the account holder, though, according to experts, extra security measures would prevent them from actually withdrawing money.

Schwab, which has many subscribers in Asia and Europe, said clients can cut the risk of such a flaw by refusing e-mails while logged into their account and logging off accounts when idle.

When asked if Schwab would compensate account holders who sustained financial losses through such a hacker attack, Gable replied: "Schwab investigates all such cases of fraud thoroughly."

News of the security flaw was posted on a security website called Bugtraq earlier this week by a freelance security expert who claimed that Schwab had not taken action for several months after first telling them of the risk. Schwab's Gable disputed that account, saying the brokerage had immediately begun working on temporary counter-measures.

E-Trade said it had security flaws in its online trading system in late September.